Implement single sign-on in .NET Web Farm for multiple e-commerce sites with WIF?

I have what I think is a rather complicated question, so I will do my best to formulate it here.

I am looking for a single sign-on (SSO) solution. I know of many options, but most of them have been ruled out as I add criteria that they must fulfill. Here are the criteria:

1.) SSO needs to be added to the existing "system".
2.) The existing "system" consists of a number of sites, "X".
3.) All X sites are e-commerce.
4.) All websites are owned by company Y, for which 95% of the system was built internally.
5.) Each of the X websites sits in a single web farm.
6.) All websites have the following components:

  • DAL (Data Access Layer)
  • Database (baskets, orders, users, inventory, etc.)
  • Authentication (Forms Auth in both WebForms and MVC).

7.) In order for the current environment to work, the machine key is already synchronized across the load-balanced servers (and has been for a while).
8.) High availability and stability are required because of the high volume of traffic.

All of these criteria led me down the path of WIF and a custom STS for use with our existing membership authentication services. Things like OpenID and other open source solutions seem to be geared towards interoperability between companies, which is neither needed nor desired. The ideal solution will be 100% internal and allow the user to log on to site “1”, do what he wants, and then go to site “2” (also located behind a load balancer and possibly even on the same web server the user was on for site “1”) and already be logged in there.

Here is a list of alternative methods that I reviewed and the corresponding reason for eliminating them (or should I review some of these alternatives?).

  • OpenID: This was ruled out for several reasons, mainly because my organization is looking for a “native” SSO, and integration with external websites or with the identity system used by external websites is not desirable.
  • CAS: For the most part, this also seems like a decent alternative. Ultimately it was ruled out because the technologies it uses (Java, Apache, Maven, etc.) would require additional effort and money to understand, implement, maintain and extend (we are primarily a .NET shop).
  • OAuth: It looks like it is more focused on protecting secure data exposed through web services.
  • Fully custom ( http://www.codeproject.com/KB/aspnet/CrossDomainSSOModel.aspx ): A fully custom approach may take too much time, and security is more of a worry with this method.
  • DotNetOpenAuth: dependent on / based on OpenID.

So, the question is: will WIF work in our existing environment, taking into account the load balancing and the user account data that is already shared across the sites, or is there a better approach?

Please let me know if you need any clarification.

EDIT:

Just to clarify what I want to achieve (or think what I'm trying to achieve, given the study):

Current setup (JPEG hosted on Dropbox)
Desired setup (JPEG hosted on Dropbox)

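Criterion 7 (a synchronized machineKey) covers the Forms Authentication ticket, but it does not cover WIF's own session cookie: the default SessionSecurityTokenHandler in WIF 3.5 protects the FedAuth cookie with DPAPI, which is keyed per machine, so a cookie written by one node of the farm cannot be read by another. The following Global.asax.cs is an added example, not code from the question; it assumes WIF 3.5 (the Microsoft.IdentityModel assembly) and a <serviceCertificate> configured in web.config whose private key is installed on every farm node and readable by the application pool identity. The same code is needed in the STS web application and in each relying-party site.

```csharp
// Added example (not from the question). Assumes WIF 3.5 (Microsoft.IdentityModel) and a
// <serviceCertificate> in web.config that is installed, with its private key, on every farm node.
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // WIF raises this once, when it builds its service configuration from web.config.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        // The default SessionSecurityTokenHandler uses ProtectedDataCookieTransform (DPAPI),
        // which is keyed to the individual machine. On a load-balanced farm that breaks as
        // soon as a request lands on a node other than the one that wrote the cookie.
        // Replace it with RSA encryption + signature transforms keyed by the shared certificate.
        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
            new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate)
        };

        var sessionHandler = new SessionSecurityTokenHandler(transforms.AsReadOnly());

        // AddOrReplace swaps out the DPAPI-based handler registered from config.
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    }
}
```

Note that the certificate used here is the one the relying party is already configured with; the private key must be present on every node, otherwise the node that lacks it will fail to decrypt the cookie and bounce the user back to the STS. In WIF 4.5 (System.IdentityModel.Services) a MachineKeySessionSecurityTokenHandler exists that reuses the already-synchronized machineKey instead, which is a simpler fit for this farm if the upgrade is an option.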
1 answer

ADFS v2.0 only authenticates against AD. If your current authentication method is something else (like SQL Server), then you need a custom STS.

Are these applications all ASP.NET?

If so, they can all be secured using WIF.

If not, e.g. if some are Java, you have to protect them with another solution, e.g. OpenSSO / Ping Federate, and integrate that product with ADFS.

If classic ASP, there are ways to let ADFS handle authentication, but authorization is a problem. Roles will be in the claims object, which Classic ASP does not have access to. You can also use C2WTS for this.

Are you looking at authentication or authorization, or both? ADFS provides roles within the claims object, so the existing authorization mechanism in your programs may have to change.

You can load balance ADFS sites.

ADFS can certainly enable SSO on all of your sites. It also potentially allows you to integrate with other sites / organizations and use external credentials (like Facebook) through Azure ACS, if that is something you need to keep in mind for the future.

It also integrates with SharePoint 2010, CRM Dynamics 2010, and Office 365, all of which are included.

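The answer's point that ADFS v2.0 authenticates only against AD, so a Membership-backed setup needs a custom STS, is illustrated below. This is an added example, not code from the answer or from Microsoft's STS template; it assumes WIF 3.5 (Microsoft.IdentityModel), an STS web site that itself uses Forms Authentication against the existing Membership and Role providers, and a whitelist of relying-party realms. The class name, the shop1/shop2 URLs and the realm-to-reply mapping are placeholders to be replaced with the company's real sites.

```csharp
// Added example (not from the answer). Assumes WIF 3.5 (Microsoft.IdentityModel), an STS site
// that authenticates users with Forms Auth + the existing Membership/Role providers, and a
// whitelist of relying parties. Class name and URLs below are hypothetical placeholders.
using System;
using System.Collections.Generic;
using System.Web.Security;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class CompanySecurityTokenService : SecurityTokenService
{
    // Realm (the wtrealm each site sends) -> address the token is posted back to.
    // Hypothetical entries; one per e-commerce site in the farm.
    private static readonly Dictionary<string, string> KnownRelyingParties =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "https://shop1.example.com/", "https://shop1.example.com/" },
            { "https://shop2.example.com/", "https://shop2.example.com/" },
        };

    public CompanySecurityTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null)
            throw new InvalidRequestException("AppliesTo (wtrealm) is required.");

        string realm = request.AppliesTo.Uri.OriginalString;
        string replyTo;
        if (!KnownRelyingParties.TryGetValue(realm, out replyTo))
        {
            // Refuse unknown realms. An STS that issues tokens for any realm it is asked about
            // lets an attacker obtain the user's claims at an address of their choosing.
            throw new InvalidRequestException("Unknown relying party: " + realm);
        }

        var scope = new Scope(realm, SecurityTokenServiceConfiguration.SigningCredentials);
        // Use the configured reply address rather than a caller-supplied wreply.
        scope.ReplyToAddress = replyTo;
        // Sites are internal and served over TLS; set scope.EncryptingCredentials instead
        // if the token itself must be encrypted for the relying party.
        scope.TokenEncryptionRequired = false;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            throw new InvalidRequestException("Caller is not authenticated.");

        // The STS site already authenticated the user with Forms Auth against the shared
        // Membership provider, so Identity.Name is the membership user name. Map the existing
        // user and role data to claims that every relying party in the farm will receive.
        string userName = principal.Identity.Name;
        MembershipUser user = Membership.GetUser(userName);

        var identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Name, userName));
        if (user != null && !string.IsNullOrEmpty(user.Email))
            identity.Claims.Add(new Claim(ClaimTypes.Email, user.Email));
        foreach (string role in Roles.GetRolesForUser(userName))
            identity.Claims.Add(new Claim(ClaimTypes.Role, role));

        return identity;
    }
}
```

The STS site's sign-in page hands each WS-Federation request (wa=wsignin1.0) to this class through FederatedPassiveSecurityTokenServiceOperations.ProcessRequest, exactly as the WIF STS template does; because the STS keeps its own Forms Auth cookie, a user who signed in for site 1 is issued a token for site 2 without being prompted again, which is the behaviour the question asks for. Since the STS also runs on the load-balanced farm, its session cookie needs the same web-farm treatment as the relying parties.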
